Thursday, May 19, 2011

The barriers to real use of true SSL named-based virtual hosting continue to fall. Android Honeycomb supports SNI! Hey Microsoft- where's the IIS support? Apache's had SNI support forever, and Chrome, FF, and IE8 support it now. You guys are the ones holding up the parade!

Background

Name-based virtual hosting is what makes private-branded cloud services and shared-tenant server hosting reasonable- rather than requiring a single IP address per hostname, many hostnames are mapped to a single IP with DNS CNAMEs. The webserver looks at the HTTP Host: header sent by the client's browser when deciding which site's content to serve. This falls apart with SSL, though, since the target hostname is baked into the certificate, and the SSL handshake occurs before the HTTP Host: header is available. SNI is the solution to this problem. It allows the hostname the client expects to be sent as part of the SSL handshake process, so the SSL server can select which certificate to present. The only workaround right now (short of one IP address per hosted domain) is the use of the SAN attribute (Subject Alternate Name), which allows a certificate to present a list of hosts that are valid- this doesn't scale well, and requires the hosting entity to obtain a new certificate for subjects they don't own every time they add a new hosted domain to a server. We've always said, "no way" when customers want us to private-label host Earth Class Mail under their domain, for this exact reason.